  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 360

How do I tell ISA to forward all requests for a network to another default gateway?

I'm not overly familiar with ISA, but we've had it for a while now and it seems to do a job, and there doesn't seem to be an immediate need to swap it out, but I just can't work out how to do this!

We have site A connected via Cisco VPN in the 192.168.202.x range. Our LAN (site B) is 192.168.1.x and the VPN terminates on 192.168.1.10. The default gateway (the ISA server) of site B is 192.168.1.254. If a computer on site B wants to talk to site A, I add a persistent route on the computer to tell it to use 192.168.1.10 as the gateway and all is well.

I now have a scenario where an IP device on site A needs to connect to site B but doesn't have the facility to let me add another static route. Can I tell ISA to forward any requests for 192.168.202.x that it receives to 192.168.1.10? That would potentially mean I don't have to add any more routes.

Many thanks

Asked by cjohnson300

1 Solution

pwindell commented:
The problem is not ISA, the problem is your WAN Design.
You are trying to make routing decisions on a LAN without a LAN Router.
You have to have a Router to make routing decisions,...ISA is not a Router.
Now if your LAN had more than one segment and you already had a LAN Router sitting between the segments then you would be home-free and would just let the LAN Router do the job it was meant to do,....but you don't have that,...so things actually get more complex.  Yep, that's right,...a single subnet LAN can become more complex than a multi-segment LAN due to the fact that it lacks capabilities and infrastructure.

Before someone says it, and I'm sure someone will,.....you cannot just add a static route to the ISA and have it "bounce" traffic over to the Cisco VPN Device.  This would create an Asynchronous Routing situation (which is bad),...this has the same effect and characteristics as "network spoofing" and the Intrusion detection facilities in ISA will not allow this.  ISA is an extremely thorough firewall product, the best on the market IMO,...it does its job,...most people's complaints are that it does its job too well and won't allow people to get away with improper, sloppy network designs.

ISA can act as a rudimentary Router, but you have to plan the WAN properly in order for ISA to handle that.  The Cisco VPN Device should not come directly into the LAN on 192.168.1.10.  You should have:

1. Add a 3rd Interface to the ISA.
2. Create a "new" Network Definition on the ISA and choose the Type as "internal".  This would be a new IP Range different than anything you are using now.  You would also include in that the Private LAN IP Range of "Site A".
3. Set the Network Relationship to "routed" between the original Internal Network and the new Network you create.  Add a Static Route on the ISA machine to tell it to use the Cisco VPN Device to reach Site A's IP Ranges.
4. Create bidirectional Access Rules to allow traffic to flow in both directions between the two networks.
5. Change the LAN-facing IP# of the Cisco VPN Device to a valid IP# on this new Network and connect it to the ISA's new 3rd Interface.  You could use a crossover cable or place a cheap switch or hub between them.

It would physically look like this below.  Note that this diagram was not created just for you,..it is generic,...so every tiniest detail of it may not fit you exactly.  So just pretend that the WAN Routers are your Cisco VPN Devices and the WAN2 segment is your VPN Tunnel.  WAN1, WAN3, and LAN2 would be what make up the new Network that you have to create on the ISA.  WAN3 and LAN2 would be the IP Ranges you have to account for in a Static Route on the ISA that is directed at the Cisco VPN Device.

 isa-as-firewall-lan-router-in-si.jpg

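Added example (Python, written for this page; it is not pwindell's code or anything from the thread): a toy longest-prefix-match router model of the two designs discussed above, the "bounce" static route on the ISA's own LAN interface and the third-interface "routed" network. It traces the path in each direction and reports where the forward and return paths differ and where a packet would leave the ISA on the interface it arrived on. Only 192.168.1.x/.254/.10 and 192.168.202.x come from the question; the 192.168.3.x network, the host addresses and the interface names are assumptions.

```python
import ipaddress
# Constructed topology for the thread's two designs; only 192.168.1.x/.254/.10 and 192.168.202.x
# come from the question. Node = {"ifaces": {name: ip}, "routes": [(prefix, next_hop|None, out_iface)]}.
def build(third_interface=False):
    isa = {"ifaces": {"lan": "192.168.1.254", "wan": "203.0.113.2"},
           "routes": [("192.168.1.0/24", None, "lan"), ("0.0.0.0/0", "203.0.113.1", "wan")]}
    vpn = {"ifaces": {"tun": "192.168.202.1"}, "routes": [("192.168.202.0/24", None, "tun")]}
    if third_interface:  # recommended design: VPN device on its own routed network behind ISA
        isa["ifaces"]["dmz"] = "192.168.3.254"
        isa["routes"] += [("192.168.3.0/24", None, "dmz"), ("192.168.202.0/24", "192.168.3.10", "dmz")]
        vpn["ifaces"]["lan"] = "192.168.3.10"
        vpn["routes"] += [("192.168.3.0/24", None, "lan"), ("0.0.0.0/0", "192.168.3.254", "lan")]
    else:  # "bounce" design: static route on ISA pointing back out the same LAN interface
        isa["routes"].append(("192.168.202.0/24", "192.168.1.10", "lan"))
        vpn["ifaces"]["lan"] = "192.168.1.10"
        vpn["routes"].append(("192.168.1.0/24", None, "lan"))
    host_b = {"ifaces": {"lan": "192.168.1.50"},
              "routes": [("192.168.1.0/24", None, "lan"), ("0.0.0.0/0", "192.168.1.254", "lan")]}
    host_a = {"ifaces": {"lan": "192.168.202.20"},
              "routes": [("192.168.202.0/24", None, "lan"), ("0.0.0.0/0", "192.168.202.1", "lan")]}
    return {"hostB": host_b, "isa": isa, "vpn": vpn, "hostA": host_a}

def lookup(routes, dst):
    """Longest-prefix match: returns (next_hop_or_None, out_iface), or None if unroutable."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nh, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    return None if best is None else best[1:]

def trace(nodes, src, dst):
    """Path from node src to address dst, plus nodes that hairpin (same in and out interface)."""
    owner = {ip: (n, i) for n, d in nodes.items() for i, ip in d["ifaces"].items()}
    path, hairpins, cur, in_iface = [src], [], src, None
    while dst not in nodes[cur]["ifaces"].values():
        hop = lookup(nodes[cur]["routes"], dst)
        if hop is None or len(path) > 8:
            raise RuntimeError(f"{cur}: no route to {dst}")
        nh, out_iface = hop
        if in_iface == out_iface:  # forwarded back out the ingress interface
            hairpins.append(cur)
        cur, in_iface = owner[nh or dst]
        path.append(cur)
    return path, hairpins

def analyse(nodes, a, b):
    fwd, hairpins = trace(nodes, a, next(iter(nodes[b]["ifaces"].values())))
    rev, _ = trace(nodes, b, next(iter(nodes[a]["ifaces"].values())))
    return {"forward": fwd, "reverse": rev, "symmetric": fwd == rev[::-1], "hairpins": hairpins}
```

`analyse(build(False), "hostB", "hostA")` shows the return traffic bypassing the ISA and the ISA hairpinning on its LAN interface, while `build(True)` gives the same path through the ISA in both directions.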
pwindell commented:
One other tactic would be to make the Cisco VPN Device the LAN's Default Gateway. Then change the Default Gateway of the Cisco VPN Device  from whatever it is to point at the LAN Interface of the ISA.  Then change the Default gateway of all the LAN's Devices to point at the Cisco VPN Device.

However doing that would break the VPN Tunnel,..so you have to add a Static Route on the VPN Device so that it can find the VPN Device on the other side over the original path it was taking so that it could bring the VPN tunnel back up.

A last alternate option is that you could have created the VPN with the ISA itself (that is part of what it was built for) instead of adding any Cisco products.
cjohnson300 (Author) commented:
pwindell - many thanks for your answer, it must be the most comprehensive answer I've ever received!

I appreciate what you're saying, it was never my intention to use our ISA box as a router, I was just trying to get something to work as a short term solution until some proper network planning could be done.

If ISA can't do it that's fine I'll need to find another way.
pwindell commented:
> I appreciate what you're saying, it was never my intention to use our ISA box as a router, I was just trying to get something to work as a short term solution until some proper network planning could be done.
>
> If ISA can't do it that's fine I'll need to find another way.

Ok,...I think you just missed the whole point.   I just spent all that time telling you how you can make ISA act as the LAN Router.  What I told you was not just an option or a simple suggestion that you can dismiss,...it is the way you have to do this and it should have been done this way from the beginning.

It was the last two options in my last post that I would consider simple options that you can dismiss.
pwindell commented:
There is no "other way" to "find".
pwindell commented:
Now I guess if you pulled out the ISA, and assuming the Cisco VPN Device is a regular Firewall (like an ASA), then you could run with only the Cisco box as the Firewall and everything would work.  But you'd lose the ability to base internet access on who the user is rather than what machine they are sitting at.